Posted to users@subversion.apache.org by "Crucius, Wesley" <WC...@sandc.com> on 2005/06/14 16:54:10 UTC

Authorization problem

I am running version 1.1.1 (using Apache on W2k3 server) and having a
problem with my authorization file.  What I want is to allow r/w access
to the whole repository except for one directory, where I want r/w
access for one group and then read-only access to a sub-directory of
that directory.  Here's an approximation of the structure

http://my-server.com/svn/repos2
                               /proj one/...
                               /proj two/...
                               /proj three
                                          /released/...
                                          /trunk/...

So essentially I want to allow read/write access to everything for all
the groups with the following exceptions for "proj three" and its
"sub-directories":
1. No access to "proj three" for apps-hwdev (they only know hardware
anyway...)
2. read-only access to only the "proj three/released" sub-dir for
apps-swdev (the lowly application developers)
3. read/write access to all of "proj three" for rtos-swdev (the
Real-Time Operating System "gods")

Here's the relevant section of httpd.conf:
<Location /svn/>
    DAV svn
    # Repository location
    SVNParentPath E:/Apache2/svn/
    # Repository Authentication Mechanism
    AuthType Basic
    AuthName "Subversion Repository"
    AuthUserFile etc/svn-auth-file                     
    AuthzSVNAccessFile etc/svn-access-policies
    Require valid-user
</Location>

And here's svn-access-policies:
[groups]
apps-swdev = user1, user2
apps-hwdev = user3, user4
rtos-swdev = superuser1, superuser2

[repos2:/]     
@apps-swdev = rw
@apps-hwdev = r
@rtos-swdev = rw

[repos2:/proj three/]
@apps-swdev =
@apps-hwdev =
@rtos-swdev = rw

[repos2:/proj three/released]
@apps-swdev = r
@apps-hwdev =
@rtos-swdev = rw

But this doesn't seem to work... For example, users in the group
"apps-swdev" can read "/proj three/trunk".

One suspicion that I had was that the spaces needed to be specified as
in URLs (so, "/proj%20three/" instead of "/proj three/"), but that
didn't seem to have any effect.  Is there something about the order of
the sections in svn-access-policies?

My interpretation of page 102 of "THE BOOK" tells me that this should
work...
Can anyone help me see the error of my ways?

Thanks,
Wes
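
Added example, not part of the original post and not Subversion's own code: a small model for testing the policy above against the three stated requirements. It assumes that section names are compared as exact strings against the canonical repository path (no trailing slash) and that the nearest ancestor section naming the user decides; under that assumption the "[repos2:/proj three/]" section is never consulted, which reproduces the reported symptom. The names load, access, noncanonical, POLICY and FIXED are hypothetical.

```python
import configparser

# Policy from the post (blank lines dropped), and a variant without the trailing slash.
POLICY = """\
[groups]
apps-swdev = user1, user2
apps-hwdev = user3, user4
rtos-swdev = superuser1, superuser2
[repos2:/]
@apps-swdev = rw
@apps-hwdev = r
@rtos-swdev = rw
[repos2:/proj three/]
@apps-swdev =
@apps-hwdev =
@rtos-swdev = rw
[repos2:/proj three/released]
@apps-swdev = r
@apps-hwdev =
@rtos-swdev = rw
"""
FIXED = POLICY.replace("[repos2:/proj three/]", "[repos2:/proj three]")

def load(text):
    cp = configparser.RawConfigParser(delimiters=("=",))
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    groups = {g: {u.strip() for u in v.split(",")} for g, v in cp["groups"].items()}
    rules = {s: dict(cp[s]) for s in cp.sections() if s != "groups"}
    return groups, rules

def access(groups, rules, repo, path, user):
    """Return '', 'r' or 'rw' from the deepest section that names the user (assumed model)."""
    path = "/" + path.strip("/")  # canonical form: no trailing slash
    while True:
        for who, perm in rules.get(f"{repo}:{path}", {}).items():
            in_group = who.startswith("@") and user in groups.get(who[1:], ())
            if who in (user, "*") or in_group:
                return perm.strip()
        if path == "/":
            return ""
        path = path.rsplit("/", 1)[0] or "/"  # fall back to the parent directory

def noncanonical(rules):
    # Section paths other than the root that end in "/" can never equal a canonical path.
    return [s for s in rules if s.endswith("/") and s.split(":", 1)[-1] != "/"]
```

Running access() for one user per group against each path in the requirements list gives a quick regression test to repeat after every change to svn-access-policies.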